US10733303B1

Movatterモバイル変換

Info

Publication number: US10733303B1
Application number: US16/856,928
Authority: US
Inventors: Archishmat Sharad Gore; Brittany Blue Gaston; Devin Lim
Original assignee: Polyverse Corp
Current assignee: GORE, ARCHISHMAT
Priority date: 2020-04-23
Filing date: 2020-04-23
Publication date: 2020-08-04
Anticipated expiration: 2040-04-23

Abstract

Security-enhanced computing systems and methods are described in regard to a migration of at-risk software that is valid in a first language is translated to a second language and situated in a safer environment. If expressions in said first language are encountered in said safer environment, errors or other special handling may result.

Description

RELATED APPLICATIONS

None.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts informational data borne by one or more data-handling media in which one or more improved technologies may be incorporated.

FIG. 2 depicts informational data borne by one or more data-handling media in which one or more improved technologies may be incorporated.

FIG. 3 schematically depicts salient aspects of a system implementing a translational code migration in which one or more technologies may be implemented.

FIG. 4 schematically depicts salient aspects of a system implementing another translational code migration in which one or more technologies may be implemented.

FIG. 5 schematically depicts salient aspects of a system implementing another translational code migration in which one or more technologies may be implemented to facilitate trans-oceanic interactions.

FIG. 6 schematically depicts a client device in which one or more improved technologies may be incorporated.

FIG. 7 schematically depicts a server in which one or more improved technologies may be incorporated.

FIG. 8 depicts a flow diagram in which one or more improved technologies may be incorporated.

FIG. 9 depicts another flow diagram in which one or more improved technologies may be incorporated.

FIG. 10 schematically depicts a “waypoint” environment that may exist in migratory contexts like those ofFIGS. 1-5.

FIG. 11 depicts another flow diagram in which one or more improved technologies may be incorporated, one that may be used in flows like those ofFIGS. 8-9.

FIG. 12 depicts an operational flow in which one or more improved technologies may be incorporated.

DETAILED DESCRIPTION

The detailed description that follows is represented largely in terms of processes and symbolic representations of operations by conventional computer components, including a processor, memory storage devices for the processor, connected display devices, and input devices. Furthermore, some of these processes and operations may utilize conventional computer components in a heterogeneous distributed computing environment, including remote file servers, computer servers, and memory storage devices.

It is intended that the terminology used in the description presented below be interpreted in its broadest reasonable manner, even though it is being used in conjunction with a detailed description of certain example embodiments. Although certain terms may be emphasized below, any terminology intended to be interpreted in any restricted manner will be overtly and specifically defined as such.

The phrases “in one embodiment,” “in various embodiments,” “in some embodiments,” and the like are used repeatedly. Such phrases do not necessarily refer to the same embodiment. The terms “comprising,” “having,” and “including” are synonymous, unless the context dictates otherwise.

“Above,” “absent,” “after,” “aggregated,” “aliased,” “along,” “among,” “any,” “application-specific,” “applied,” “associated,” “at least,” “authorized,” “automatic,” “available,” “based on,” “because,” “between,” “compared,” “complete,” “component,” “comprising,” “conditional,” “configured,” “consecutive,” “corresponding,” “current,” “determined,” “digital,” “directly,” “distributed,” “downloaded,” “effective,” “encrypted,” “exceeding,” “executable,” “explicit,” “first,” “for,” “generated,” “greater,” “identified,” “illustrated,” “immediate,” “implemented,” “implicit,” “in lieu of,” “included,” “indicating,” “integrated,” “inversely,” “invoked,” “local,” “malicious,” “manifested,” “mobile,” “modified,” “more,” “near,” “networked,” “obtained,” “of,” “otherwise,” “particular,” “partly,” “pertaining,” “predicted,” “prior,” “private,” “provided,” “public,” “received,” “remote,” “respective,” “responsive,” “safer,” “scheduled,” “scrambled,” “second,” “sequencing,” “signaling,” “single,” “so as,” “special-purpose,” “specific,” “subsequent,” “suitable,” “supplemental,” “suspended,” “synonymous,” “taken,” “thereafter,” “third,” “through,” “toward,” “transistor-based,” “translated,” “triggered,” “trusted,” “unable,” “undefined,” “undue,” “updated,” “upon,” “upstream,” “valid,” “via,” “watermarked,” “wherein,” “wireless,” “without,” or other such descriptors herein are used in their normal yes-or-no sense, not merely as terms of degree, unless context dictates otherwise. In light of the present disclosure, those skilled in the art will understand from context what is meant by “remote” and by other such positional descriptors used herein. Likewise, they will understand what is meant by “partly based” or other such descriptions of dependent computational variables/signals. “Numerous” as used herein refers to more than one dozen. “Instantaneous” as used herein refers to having a duration of less than 0.1 seconds unless context dictates otherwise. “Immediate” as used herein refers to having a duration of less than 2 seconds unless context dictates otherwise. Circuitry or data items are “onboard” as used herein if they are aboard a vehicle or denoting or controlled from a facility or feature incorporated into the main circuit board of a computer or computerized device unless context dictates otherwise. Circuitry is “invoked” as used herein if it is called on to undergo voltage state transitions so that digital signals are transmitted therefrom or therethrough unless context dictates otherwise. Software is “invoked” as used herein if it is executed/triggered unless context dictates otherwise. One number is “on the order” of another if they differ by less than an order of magnitude (i.e., by less than a factor of ten) unless context dictates otherwise. As used herein a term like “PHP parser” or “second-language parser” is used to identify a parser that is configured to parse one or more versions of the identified language but unable to parse one or more other device-executable languages. As used herein “causing” is not limited to a proximate cause but also enabling, conjoining, or other actual causes of an event or phenomenon.

Terms like “processor,” “center,” “unit,” “computer,” or other such descriptors herein are used in their normal sense, in reference to an inanimate structure. Such terms do not include any people, irrespective of their location or employment or other association with the thing described, unless context dictates otherwise. “For” is not used to articulate a mere intended purpose in phrases like “circuitry for” or “instruction for,” moreover, but is used normally, in descriptively identifying special purpose software or structures.

Reference is now made in detail to the description of the embodiments as illustrated in the drawings. While embodiments are described in connection with the drawings and related descriptions, there is no intent to limit the scope to the embodiments disclosed herein. On the contrary, the intent is to cover all alternatives, modifications and equivalents. In alternate embodiments, additional devices, or combinations of illustrated devices, may be added to, or combined, without limiting the scope to the embodiments disclosed herein.

FIG. 1 schematically illustrates one or more distributed or other data-handlingmedia100 comprising one or more instances ofparsers114, ofinterpreters115, ofcompilers116, offunctions117, oftranslators118, of transpilers (e.g., combining atranslator118 with a compiler116), ofvulnerabilities119, ofservices120, or of othersuch software110 or other data items in which one or more technologies may be implemented. In some contexts, for example, such items may include various versions121-123 oflegacy programming languages125, each at least partly defined by a respective (instance of a)language specification130.Most primitives131,keywords132, orother terms133 of such languages correspond to one or more instances ofdefinitions135, ofrules137, or ofother protocols139 of parsing or translation, for example. Such relationships may be manifested in one or more dictionaries or other tables174, in machine-readable orother programming code175, or inother content176 such astranslations178. In some variants, for example, code that exists in afirst environment191 may include several programming instruction series181-183, some of which may feature avulnerability119 by which anexploitative script169 may be injected or otherwise built, subjecting thatenvironment191 to malware. Worse, as naked source code (such as conventional JavaScript or PHP scripts) exhibitssuch vulnerabilities119, present and

future instruction sequences

184,185 inother computing environments192 may likewise become vulnerable as more and more hackers understand them.

FIG. 2 schematically illustrates one or more memories or other data-handlingmedia200 comprising one or more instances ofparsers214, ofinterpreters215, ofcompilers216, offunctions217, oftranslators218, ofvulnerabilities219, ofservices220, or of other such data items279 in which one or more technologies may be implemented more safely. In some contexts, for example, such items279 may include various versions221-223 of polyscripted or other systematicallydiversified programming languages225 each at least partly defined by a respective (instance of a)language specification230. Most or allprimitives231,keywords232, orother terms233 of eachsuch language225 described herein correspond to one or more instances ofdefinitions235, ofrules237, or ofother protocols239 of parsing, for example. Such relationships may be manifested in one or more dictionaries or other tables274, in machine-readable orother programming code275, or inother content276 such astranslations278 by which one or more programming instruction series281-282 may each migrate to asafer computing environment292. As used herein terms like “safer” describe a software object relative to another object, signaling that the software object lacks one or more recognized attack-vector-vulnerabilities of the other object.

In some variants, for example, programming instruction series284-285 may at least avoid a risk of first-language scripts169 being injected intoenvironment292 by virtue ofenvironment292 lacking a first-language interpreter115 orsimilar vulnerability119. In some variants, for example, a suitablesecond language225 may be generated by scrambling as described here:

TABLE 1

Algorithm 1 scrambler

1:	# set of keywords:
2:	import json
3:	import random
4:	import string
5:	import sys
6:	import re
7:	import subprocess
8:	import signal
9:	import os
10:	from shutil import copyfile
11:	class PolyscriptConfig:
12:	@ staticmethod
13:	def random_string(kw_len):
14:	alphabet = string.ascii_lowercase
15:	return ″.join(random.choice(alphabet) for i in range(kw_len))
16:	def__init__(self, kw_len_max=7, kw_len_min=3):
17:	with open(′polyscript-config.json′) as json_file:
18:	config = json.load(json_file)
19:	self.scramble = config[″scramble″]
20:	self.v8_path = config[″v8_path″]
21:	self.backup_path = config[″backup_path″]
22:	self.dictionary_out = config[″dictionary_out″]
23:	self.dictionary = {i: self.random_string(random.randint

(kw_len_min, kw_len_max))

24:	for i in config[″consume″][″keywords″]}
25:	self.changed_files = dict( )
26:	PSC = PolyscriptConfig( )
27:	def backup_file(file_in):
28:	basename =′/′ + os.path.basename(file_in)
29:	path = PSC.backup_path
30:	if not os.path.isdir(path):
31:	os.makedirs(path)
32:	PSC.changed_files[file_in] = path + basename
33:	if not os.path.exists(path + basename):
34:	copyfile(file_in, path + basename)
35:	def file_process(input_path, permission, data=None):
36:	file_data = None
37:	try:
38:	with open(input_path, permission) as f:
39:	if permission == ′r′:
40:	backup_file(input_path)
41:	file_data = f.read( )
42:	elif permission == ′w′:
43:	print(input_path)
44:	file_data = f.write(data)
45:	except IOError as e:
46:	print(″I/O error({0}): {1} {2}″.format(e.errno,

e.strerror, input_path))

47:	print(″Attempting to restore original files.″)
48:	catch_exit( )
49:	return file_data
50:	def handle_keywords_txt( ):
51:	for file in PSC.scramble[″unquoted_kw″]:
52:	file_path = PSC.v8_path + file
53:	file_data = file_process(file_path, ′r′, None)
54:	for keyword in PSC.dictionary.keys( ):
55:	file_data = file_data.replace(keyword + ″,″,

PSC.dictionary[keyword] + ″,″)

56:	file_process(file_path, ′w′, file_data)
57:	def handle_string_replace( ):
58:	def string_attach(w):
59:	return ′″′ + w + ′″′
60:	sub_strings =list(map(string_attach, PSC.dictionary))
61:	regexp = re.compile(′\|′.join(map(re.escape, sub_strings)))
62:	for f in PSC.scramble[″quoted_kw″]:
63:	file_data = file_process(PSC.v8_path + f, ′r′)
64:	file_process(PSC.v8_path + f, ′w′,
65:	regexp.sub(lambda match:

string_attach(PSC.dictionary[match.group(0).strip(″″)]), file_data))

66:	replace_for_bootstrapper( )
67:	def handle_scanner_inl( ):
68:	parse_start = ″#define

KEYWORDS(KEYWORD_GROUP, KEYWORD)\\″

69:	parse_end = ″\n\n″
70:	file_data = file_process(PSC.v8_path +

PSC.scramble[″grouped_kw″], ′r′)

71:	start_index = file_dataindex(parse_start) + len(parse_start)
72:	end_index = file_data[start_index: ].index(parse_end) +

start_index

73:	pre_parse = file_data[:start_index]
74:	post_parse = file_data[end_index:]
75:	token_groups = file_data[start_index: end_index].split(″\n″)
76:	file_out = pre_parse +

parse_scanner_tokens(token_groups) + post_parse

77:	file_process(PSC.v8_path + PSC.scramble[″grouped_kw″],

′w′, file_out)

78:	def parse_scanner_tokens(tokens):
79:	tok_str_keyword = re.compile(′″(.+?)″′)
80:	parse = dict( )
81:	tokens[len(tokens) − 1] = tokens[len(tokens) − 1] + ′ \\′
82:	for i in tokens[1:]:
83:	m = tok_str_keyword.findall(i)
84:	if m:
85:	word = m[0]
86:	if word in PSC.dictionary:
87:	i = i.replace(word, PSC.dictionary[word])
88:	word = PSC.dictionary[word]
89:	parse[word] = i
90:	return group_keywords(parse)
91:	def group_keywords(parsed):
92:	keys = list(parsed.keys( ))
93:	keys.sort( )
94:	group = ″a″
95:	out = ″KEYWORD_GROUP(′a′) \\″
96:	for i in keys:
97:	if not i[0] <= group:
98:	group = i[0]
99:	out += ″\n″ + ″ KEYWORD_GROUP(′″ + i[0] + ″′)

\\″

100:	out += ″\n″ + parsed[i]
101:	return ″\n″ + out [:−1]
102:	def scramble_sources( ):
103:	handle_keywords_txt( )
104:	handle_scanner_inl( )
105:	handle_string_replace( )
106:	def replace_for_bootstrapper( ):
107:	if ′for′ in PSC.dictionary:
108:	out = file_process(PSC.v8_path + ″srdinit/

bootstrapper.cc″, ′r′)

109:	file_process(PSC.v8_path + ″src/init/bootstrapper.cc″, ′w′,

out.replace(PSC.dictionary[″for″], ″for″))

110:	def catch_exit( ):
111:	for original_path in PSC.changed_files:
112:	copyfile(PSC.changed_files[original_path], original_path)
113:	print(″Original Files restored.″)
114:	sys.exit(1)
115:	def handler(signum, frame):
116:	print(″SIGINT: Restoring original files.″)
117:	catch_exit( )
118:	def restore_originals( ):
119:	if os.path.exists(PSC.backup_path):
120:	print(″Backup directory found, replacing previously

polyscripted files with originals.″)

121:	for dirName, _, fileList in os.walk(PSC.backup_path):
122:	for f in fileList:
123:	file = dirName + ′/′ + f
124:	print(file)
125:	copyfile(file, file.replace(PSC.backup_path,

PSC.v8_path))

126:	def backup_dynamic( ):
127:	for fin PSC.scramble[″dynamic″]:
128:	backup_file(PSC.v8_path + f)
129:	gen = file_process(PSC.v8_path +

″tools/gen-keywords-gen-h.py″, ′r′)

130:	file_process(PSC.v8_path + ″tools/gen-keywords-gen-h.py″,

′w′, ″.join(gen.rsplit(′128′, 1)))

131:	def main( ):
132:	restore_originals( )
133:	if check_empty( ):
134:	return
135:	backup_dynamic( )
136:	scramble_sources( )
137:	file_process(PSC.dictionary_out, ′w′, json.dumps(PSC.

dictionary, indent=4))

138:	babel_transform( )
139:	final_d8( )
140:	call_subprocess( )
141:	check_fallthrough( )
142:	print(″Done. Scrambling Complete.″)
143:	def babel_transform( ):
144:	print(PSC.scramble[″printer″] + ″generators″)
145:	(_, _, filenames) = os.walk((PSC.scramble[″printer″] +

″generators″)).next( )

146:	for _file in filenames:
147:	cur_file = PSC.scramble[″printer″] + ″generators/″ +_file
148:	data_in = file_process(cur_file, ′r′)
149:	data_out = ″
150:	for _line in data_in.splitlines( ):
151:	if ″this.word″in _line and ″node.name″ not in _line and

″{grave over ( )}″not in _line:

152:	_line = _line.replace(″word(″, ″reserved(″)
153:	data_out = data_out + os.linesep + _line
154:	file_process(cur_file, ′w′, data_out)
155:	printer = file_process(PSC.scramble[″printer″] +

″printer.js″, ′r′)

156:	index = printer.index(″word(str) {″)
157:	out = printer.index] + ″″″reserved(str) {
158:	var dictionary = {″″″ + print_dictionary( ) + ″″″}
159:	this.word(str in dictionary ? dictionary[str] : str);
160:	}
161:	″″″ + printer[index:]
162:	file_process(PSC.scramble[″printer″] + ″printer.js″, ′w′, out)
163:	def print_dictionary( ):
164:	items = PSC.dictionary.items( )
165:	items_out = ″.join(map(lambda x: x[0] + ′: ″′ + x[1] + ′″, ′,

items))

166:	return items_out [:−1]
167:	def call_subprocess( ):
168:	try:
169:	subprocess.check_call([′node′, ′polyscriptify.js′, ′-p′,

′../test/cctest/′])

170:	except subprocess.CalledProcessError as e:
171:	print(″Call Process Error({0}): {1}at {2} - during

polyscripting cctest″.format(e.returncode, e.output, e.cmd))

172:	print(″Attempting to restore original files.″)
173:	catch_exit( )
174:	os.chdir(PSC.v8_path)
175:	try:
176:	subprocess.check_call([′python′, /tools/gen-keywords-

gen-h.py′])

177:	except subprocess.CalledProcessError as e:
178:	print(″Call Process Error({0}): {1}at {2} - error calling

keyword generator.″.format(e.returncode, e.output, e.cmd))

179:	print(″ERROR when calling ./tools/gen-keywords-

gen-h.py. Failing.″)

180:	catch_exit( )
181:	check_fallthrough( )
182:	def check_fallthrough( ):
183:	gen_file = ″./src/parsing/keywords-gen.h″
184:	file_process(gen_file, ′w′, file_process(gen_file,

′r′).replace(″/*FALLTHROUGH*/″, ″U_FALLTHROUGH;″, 1))

185:	def final_d8( ):
186:	x = file_process(PSC.v8_path + ″src/d8/d8-js.cc″, ′r′)
187:	starting = x.index(″D8(″) + len(″D8(″)
188:	ending = x.index(″)D8″)
189:	file_process(PSC.v8_path + ″src/d8/d8-js.cc″, ′w′,

x[:starting] + get_poly_snip(x[starting: ending]) + x[ending:])

190:	def check_empty( ):
191:	if PSC.dictionary:
192:	return False
193:	else:
194:	file_process(PSC.dictionary_out, ′w′,

json.dumps(PSC.dictionary, indent=4))

195:	return True
196:	def get_poly_snip(snip):
197:	process = subprocess.Popen(′[node′, ′polyscriptify.js′,

′-s′, snip], stdout=subprocess.PIPE)

198:	return process communicate( )[0]
199:	if __name__ == ′__main__′:
200:	signal.signal(signal.SIGINT, handler)
201:	sys.exit(main( ))

FIG. 3 schematically illustrates salient aspects of asystem300 by which at-risk software110 that is valid in afirst programming language125 operable in afirst environment391 can migrate to a translatedsecond programming language225 operable in asecond environment392 via one or more interstitial languages operable in one or more interstitial computing orother environments93A. This can occur, for example, in a context in which thefirst programming language125 includes well-known heritage-language terms133A-C implicitly or otherwise defined in aparser114,interpreter115,compiler116, or othersuch service120 operable (e.g., upon one ormore instruction series381,382) in thefirst environment391. For example alanguage specification130A of (an instance of) thefirst language125 may define aterm133A of “String” with acorresponding definition135A, aterm133B of “Import” with a corresponding definition135B, and aterm133C of “List” with acorresponding definition135C (e.g., in a table174A thereof). The use ofsuch services120 may impose one or more instances ofrules137A, ofparameters138A, or of other (aspects of)protocols139A as further described below.

Likewise, an interstitial language scrambled or otherwise derived from thefirst programming language125 may include variouscorresponding terms333A-C at least partly defined in aservice120 operable uponinstruction series383 in aninterstitial environment93A as shown. For example aninterstitial language specification330A as shown may define a heritage-language term333A of “String” with acorresponding definition335A, a derivedterm333B of “$tring” with an effectively identical definition, and another derivedterm333C of “String” with the same definition (e.g., in a table374A thereof). The use ofsuch services120 may impose one or more instances ofrules137A, ofparameters138A, or of other (aspects of)protocols139A as further described below.

In some contexts, one or more instances ofrules337A, ofparameters338A, or of other interstitial-environment protocols339A may manifest two or more suchsynonymous terms333A-C so as to implement interstitial watermarking as described below. Alternatively or additionally such manifestations may implement term aliasing that maintains human-readability in the derived interstitial language or in first-language instruction series384 selectively accessible in theinterstitial environment93A (e.g., so as to permit inductive function calls to compiledheritage code175 being triggered by one or morealiased terms333B-C) as further described below.

Likewise, alanguage225 scrambled or otherwise derived from thefirst programming language125 may include variouscorresponding terms233B-C at least partly defined in aservice220 operable upon

instruction series

385,386 in anenvironment392 as shown (e.g., in a table274A thereof). Forexample language specification230A as shown may maintain a derivedterm233B of “$tring” with an effectivelyidentical definition235A as that of another derivedterm233C of “String” so that either will behave (nominally) in the same way when invoked in theenvironment392. Alternatively or additionally a heritage-language term233A like “String” may be rendered inoperable in such downstream environments in some variants ofrules237A, ofparameters238A, or of other downstream-environment protocols239A. In some variants, for example,such protocols239A may comprise containerized monitoring, real-time notifications or lockdowns, or other exceptional security event handling.

FIG. 4 schematically illustrates salient aspects of asystem400 by which at-risk software110 that is valid in afirst programming language125 operable in afirst environment491 can migrate to a translatedsecond programming language225 operable in asecond environment492 via acompound translation478 with or without anyinterstitial environments93A. This can occur, for example, in a context in which thefirst programming language125 includes heritage-language terms133D-F implemented in aparser114,interpreter115,compiler116, or othersuch service120 operable in (an instance of) thefirst environment491. For example alanguage specification130B of (an instance of) thefirst language125 may define a term133D with a corresponding inductive definition135D, aterm133E with acorresponding bootstrap definition135E, and aterm133F with an explicitclosed definition135F (e.g., in a table174B thereof). The use ofsuch services120 may impose one or more instances ofrules137B, ofparameters138B, or of other (aspects of)protocols139B as described herein.

Likewise, alanguage225 derived from thefirst programming language125 may include human-readable or other corresponding terms233D-F at least partly defined in aservice220 operable uponinstruction series485 in anenvironment492 as shown (e.g., in a table274B thereof). For example,language specification230B as shown may include several working definitions235D-F each corresponding to a respective term even though some such terms were derived from self-referential, bootstrap, or other “open” upstream expressions. In some contexts, in whichenvironment492 is an instance ofenvironment392, moreover, one ormore rules237B,parameters238B, or other downstream-environment protocols239B may invoke special handling when evidence of injectedcode275 or other suspicious phenomena are encountered.

FIG. 5 schematically illustrates one or more distributed or other data-handlingmedia500 configured to facilitate trans-oceanic monitoring and comprising transistor-basedcircuitry528 in one ormore data networks550, in which one or more technologies may be implemented. In the interest of concision and according to standard usage in information management technologies, the functional attributes of modules described herein are set forth in natural language expressions. It will be understood by those skilled in the art that such expressions (functions or acts recited in English, e.g.) adequately describe structures identified below so that no undue experimentation will be required for their implementation. For example, anysession parameters566 or other informational data identified herein may easily be represented digitally as a voltage configuration on one or more electrical nodes (conductive pads of an integrated circuit, e.g.) of an event-sequencing structure without any undue experimentation. Each electrical node is highly conductive, having a corresponding nominal voltage level that is spatially uniform generally throughout the node (within a device or local system as described herein, e.g.) at relevant times (at clock transitions, e.g.). Such nodes (lines on an integrated circuit or circuit board, e.g.) may each comprise a forked or other signal path adjacent one or more transistors. Moreover, many Boolean values (yes-or-no decisions, e.g.) may each be manifested as either a “low” or “high” voltage, for example, according to a complementary metal-oxide-semiconductor (CMOS), emitter-coupled logic (ECL), or other common semiconductor configuration protocol. In some contexts, for example, one skilled in the art will recognize an “electrical node set” as used herein in reference to one or more electrically conductive nodes upon which a voltage configuration (of one voltage at each node, for example, with each voltage characterized as either high or low) manifests a yes/no decision or other digital data.

Such circuitry

528 may comprise one or more integrated circuits (ICs), for example, optionally mounted on one or more circuit boards. Whether implemented in a distributed cloud or within one ormore apparatuses529A-B described herein, transistor-basedcircuitry528 comprises an event-sequencing structure generally as described in U.S. Pat. Pub. No. 2015/0094046 but configured as described herein. Transistor-basedcircuitry528 may (optionally) include one or more instances ofevaluation modules531 configured for local processing, for example, each including an electrical node set541 upon which informational data is represented digitally as a corresponding voltage configuration551. Transistor-basedcircuitry528 may likewise include one or more instances of parsing modules532-533 configured for local processing, for example, each including an electrical node set542-543 upon which informational data is represented digitally as a corresponding voltage configuration552-553. Transistor-basedcircuitry528 may (optionally) likewise include one or more instances ofinvocation modules534 configured for triggering remote processing (using cloud-based instances of circuitry described herein, for example), each including an electrical node set544 upon which informational data is represented digitally as acorresponding voltage configuration554. Transistor-basedcircuitry528 may likewise include one or more instances of recognition modules535-537 configured for local processing, for example, each including an electrical node set545-547 upon which informational data is represented digitally as a corresponding voltage configuration555-557. Transistor-basedcircuitry528 may likewise include one or more instances ofinterface modules538 configured for implementing, for example, each including an electrical node set548 upon which informational data is represented digitally as a corresponding voltage configuration558.

In some variants, for example, a server orother apparatus529A in North America may manifest an instance of amigration path504 between an

original computing environment

191,391,491 and a

computing environment

292,392,492. Some such paths may pass through multiple computing or other interstitial environments93B-F of which some may provide one ormore rules337,parameters338, or other aspects ofrespective protocols339 thereof to implement one ormore watermarks522 orother security tags525 thereof, such as with a judicious use of non-printing characters. Alternatively, or additionally,cloud implementation circuitry528 or alocal apparatus529A (or a combination thereof) may maintain alist527 of tasks, needs, or resources as further described below. Alternatively, or additionally, one or more such interstitial environments93B-F may (optionally) each need a respective build script561 or run script562 or both as further described below, so that several clients seeking access to upstream content may each be monitored in a respectively distinct interstitial environment. A data flow diagram featuring aremote apparatus529B (e.g. a client, hub, or hacker in Europe) is provided atFIG. 12.

As used herein a “version” of a digital object refers to a variant having partial structural identicality with the object or partial functional identicality with the object (or both). For example, two “versions” of semicolons may exist in

respective programming languages

125,225 if at least one

rule

137,237,337 applicable to one does not apply to the other. As used herein a first version121-123 of an instruction series or other software object is “less safe” than a second version221-223 of the object if one ormore vulnerabilities119 present in the first version are not present in the second version. In some contexts, it is advantageous to migrate a population of instruction series to a less-safe language version or environment93C-D (e.g., to facilitate access by an authenticated entity for analysis or augmentation) and then to a safer version or environment93E.

Referring now toFIG. 6, there is shown aclient device600 in which one or more technologies may be implemented.Client device600 may include one or more instances ofprocessors602, ofmemories604,user inputs608, and of (speakers or other)presentation hardware612 all interconnected along with thenetwork interface606 via abus616. One ormore network interfaces606 allowdevice600 to connect via the Internet or other networks150).Memory604 generally comprises a random-access memory (“RAM”), a read only memory (“ROM”), and a permanent mass storage device, such as a disk drive.

Memory

604 may contain one or more instances ofoperating systems610, ofweb browsers614, of otherlocal apps624, or of other modules that facilitate operations described herein. These and other software components may be loaded from a non-transitory computerreadable storage medium618 intomemory604 of theclient device600 using a drive mechanism (not shown) associated with a non-transitory computerreadable storage medium618, such as a floppy disc, tape, DVD/CD-ROM drive, flash card, memory card, or the like. In some embodiments, software or other digital components may be loaded via thenetwork interface606, rather than via a computerreadable storage medium618. Special-purpose circuitry622 (implementing asecurity feature660, e.g.) may, in some variants, include some or all of the event-sequencing logic described herein. In someembodiments client device600 may include many more components than those shown inFIG. 6, but it is not necessary that all conventional components of a mobile device be shown in order to disclose an illustrative embodiment.

Referring now toFIG. 7, there is shown aserver700 in which one or more technologies may be implemented.Server700 may include one or more instances ofprocessors702, ofmemories704,user inputs708, and of (speakers or other)presentation hardware712 all interconnected along with thenetwork interface706 via abus716. One ormore network interfaces706 allowserver700 to connect via the Internet or other networks150).Memory704 generally comprises a random access memory (“RAM”), a read only memory (“ROM”), and a permanent mass storage device, such as a disk drive.

Memory

704 may contain one or more instances ofoperating systems710, ofwebsites714, ofaggregation modules726, or of media preference affinity services or other such scoring modules that facilitate modeling the preferences of a user/member. These and other software components may be loaded from a non-transitory computerreadable storage medium718 intomemory704 of theserver700 using a drive mechanism (not shown) associated with a non-transitory computerreadable storage medium718, such as a floppy disc, tape, DVD/CD-ROM drive, flash card, memory card, or the like. In some embodiments, software or other digital components may be loaded via thenetwork interface706, rather than via a computerreadable storage medium718. Special-purpose circuitry722 may, in some variants, include some or all of the event-sequencing logic described herein. In someembodiments server700 may include many more components than those shown inFIG. 7, but it is not necessary that all conventional components of a server be shown in order to disclose an illustrative embodiment.

FIG. 8 illustrates anoperational flow800 suitable for use with at least one embodiment, such as may be performed on aclient device600 orserver700 using special-purpose circuitry thereof. As will be recognized by those having ordinary skill in the art, not all events of information management are illustrated inFIG. 8. Rather, for clarity, only those steps reasonably relevant to describing the security-enhanced computing interaction aspects offlow800 are shown and described. Those having ordinary skill in the art will also recognize the present embodiment is merely one exemplary embodiment and that variations on the present embodiment may be made without departing from the scope of the broader inventive concept set forth in the clauses and claims below.

Operation

805 describes obtaining a prioritized list and attributes for each instruction series or similar item to advance.

Operation

820 begins an iterative protocol performed upon each instruction series or other item that may be needed in one or more downstream environments.

Operation

830 performs a configuration of any authorizations or similar resources that may be needed along an intended path for the item.

Operation

845 begins an iterative protocol performed upon each successive movement of the current item to a next downstream environment.

Operation

1100 signals invoking a flow by which the item may be advanced to the next downstream environment. SeeFIG. 11.

Operation

865 signals a repetition or conclusion of the iterative protocol performed to advance the current item downstream.

Operation

875 signals a repetition or conclusion of the iterative protocol performed upon each item moved.

Operation

885 signals a determination whether a current list still signals one or more migrations are needed. If so, control passes back tooperation805.

Otherwiseoperation899 signals a completion of theoperational flow800, such as by returning a result signaling a successful migration.

FIG. 9 illustrates anoperational flow900 suitable for use with at least one embodiment, such as may be performed on aclient device600 orserver700 using special-purpose circuitry thereof. As will be recognized by those having ordinary skill in the art, not all events of information management are illustrated inFIG. 9. Rather, for clarity, only those steps reasonably relevant to describing the security-enhanced computing interaction aspects offlow900 are shown and described. Those having ordinary skill in the art will also recognize the present embodiment is merely one exemplary embodiment and that variations on the present embodiment may be made without departing from the scope of the broader inventive concept set forth in the clauses and claims below.

Operation

915 describes obtaining an item list and attributes for each instruction series or similar item to advance.

Operation

925 describes identifying a farthest-upstream item.

Operation

935 describes configuring one or more resources at a next environment for which the furthest-upstream item is bound.

Operation

955 begins an iterative protocol by which other items alongside the furthest-upstream item are designated in turn.

Operation

970 signals a repetition or conclusion of the iterative protocol performed upon each item moved.

Operation

985 signals a determination whether a current list still signals one or more migrations are needed. If so, control passes back tooperation925.

Otherwiseoperation999 signals a completion of theoperational flow900, such as by returning a result signaling a successful migration.

Referring now toFIG. 10, there is shown awaypoint1000 comprising aninterstitial environment1092 positioned between one or moreupstream environments1091 and one or moredownstream environment1093. The one or more upstream environments feature an established or otherlegacy language specification130 in which at least one (kind of)legacy instruction1005 defines afirst argument1001 and asecond argument1002 in that order. As a part of one or moreupstream translations1078, however, a transposition is implemented so that in theinstruction1005 atenvironment1092, a correspondingfirst argument1001 must be presented after a correspondingsecond argument1002. Such atranslation1078 might effectively convert an IF-THEN instruction in a legacy language into a TH # N-/F instruction, for example, confounding malware that could otherwise glean or modify the meaning of an instruction series that included one or more such modified-grammar instructions1005.

FIG. 11 illustrates anoperational flow1100 suitable for use with at least one embodiment, such as may be performed on aclient device600 orserver700 using special-purpose circuitry thereof. As will be recognized by those having ordinary skill in the art, not all events of information management are illustrated inFIG. 11. Rather, for clarity, only those steps reasonably relevant to describing the security-enhanced computing interaction aspects offlow1100 are shown and described. Those having ordinary skill in the art will also recognize the present embodiment is merely one exemplary embodiment and that variations on the present embodiment may be made without departing from the scope of the broader inventive concept set forth in the clauses and claims below.

Operation

1110 describes readying an environment, such as by retrieving, accessing, or otherwise obtaining atranslator218 or local language specification230 (e.g., pertaining to an instantiation of one or

more environments

292,392,1092 described herein) or allocating computing resources for its use. SeeFIG. 12.

Operation

1120 begins an iterative protocol performed upon each instruction or other item segment (e.g., during an instruction series translation).

Operation

1130 performs a translation upon that segment from an upstream language into a current local language. As used herein a “local” feature may pertain to an interstitial or environment, irrespective of physical geography.

Operation

1140 signals a repetition or conclusion of the iterative protocol performed upon each item segment.

Operation

1150 begins an iterative protocol pertaining to each local rule (e.g., for multiple validation or

security rules

237,337 imposed by the

local environment

292,392,1092).

Operation

1160 applies the rule of the current iteration.

Operation

1180 signals a repetition or conclusion of the iterative protocol performed upon each local rule.

Operation

1199 signals a completion of theoperational flow1100, such as by returning a result to a

flow

800,900 that calledflow1100.

FIG. 12 depicts a particular scenario andprogressive data flow1200 in whichclient devices600 of respectivehuman clients10A-B interact with one ormore servers700 to facilitate creation or restoration of protected computing environments described herein. After anauthentication1222A in whichclient10A andcloud server700A each provide a keyword or other identifying information, one ormore parameters1224A are downloaded to initiate asession1226A during which one ormore client devices600 of thatclient10A have access to a unique environment derived from and accessible only with a combination of such identifying information from both sides.

Likewise, after anauthentication1222B in which anon-human hub20 andcloud server700A each provide a keyword or other identifying information, one ormore parameters1224B are downloaded to initiate asession1226B during which the hub has access to a unique environment derived from and accessible only with a combination of such identifying information from both thehub20 and theserver700A. Likewise after anauthentication1222C in which one or more otherhuman clients10B andcloud server700A each provide a keyword or other identifying information, one ormore parameters1224C are downloaded to initiate asession1226C during which one or morerespective client devices600 of thoseclients10B have access to a unique environment derived from and accessible only with a combination of such identifying information from both/all sides.

In this way,cloud server700A may facilitate respective secure environments such that sharing resources among clients occurs only in one-off environments1092 of which other entities are expected to have no access. As such a time-limitedadditional authentication1222D may be imposed by theserver700A on an unscheduled basis or in response toalien watermarks522, unexpectedhidden characters524, behavioral deviations from that of a prior code version221-223, or other such unforeseen phenomena being detected (e.g., by one or more risk-indicative-pattern recognition modules537) in such one-off environments1092. Such measures can be even for instruction series originally created in anopen programming language130 not conventionally susceptible of

migratory translations

178,1078 as described herein.

In some variants, for example,several terms233,333 in an interstitial orlanguage specification230,330 are each configured to haveseveral terms233,333 to have several characters in common with a corresponding legacy-language term133 so that thelocal language specification230,330 is not a legacy language expression but is human-readable as well as device-executable. Even arcane local language specifications can be satisfied by providingcustom code275 in the local environment that allows an instruction series to be modified and thereby temporarily violate thelocal language specification330A during modifications by an authenticatedhuman client10B. Once the hapless-but-privilegedhuman client10B finishes an attempted code modification, thecustom code275 can decide whether to restore one or moresuitable watermarks522 in the locally modified instruction series. This can occur in a context, for example, in which effective human participation in an upgrade would otherwise require falling back to outdated or otherwise untrustworthy heritage-language scripts181-183.

Referring again to the figures above, there are shown

several flows

800,900,1100 configured to coordinate or otherwise cause a migration of at-risk software110 that is valid in a first programming language125 (e.g., according to alanguage specification130 of the first programming language125). One ormore control modules532 are invoked so as to cause one or

more translators

118,218 remotely or otherwise to trigger atranslation178 of a first device-executable instruction series181 that is valid in thefirst programming language125 into a translated

instruction series

285,385 that is valid in asecond programming language225 but not in thefirst programming language125. This can occur, for example, in a context in which avoltage configuration552 on an electrical node set542 thereof manifests an eval result signaling such validity.

One ormore recognition modules537 that operates upon instruction series in the protected computing environment290 is configured to cause a second-language parser214 to recognize whether translatedcontent276 is valid in thesecond programming language225 by applying alanguage specification230 of thesecond programming language225 in lieu of thelanguage specification130 of thefirst programming language125. This can occur, for example, in a context in which a voltage configuration557 on an electrical node set547 thereof manifests an eval result signaling such validity.

One ormore implementation modules536 is configured to configure or otherwise provide a protected computing environment290 in which at least oneinterpreter215,compiler216, orother execution service220 thereof is configured to use the second-language parser214 to execute the translated

instruction series

285,385. This can occur, for example, in a context in which avoltage configuration556 on an electrical node set546 thereof manifests authorization for such processing. In some variants this allows the translated instruction series that is valid in thesecond programming language225 but not in thefirst programming language125 to be executed in the protected computing environment290 by applying alanguage specification230 of thesecond programming language225 in lieu of thelanguage specification130 of thefirst programming language125.

Although various operational flows are presented in a sequence(s), it should be understood that the various operations may be performed in other orders than those which are illustrated or may be performed concurrently. Examples of such alternate orderings may include overlapping, interleaved, interrupted, reordered, incremental, preparatory, supplemental, simultaneous, reverse, or other variant orderings, unless context dictates otherwise. Furthermore, terms like “responsive to,” “related to,” or other past-tense adjectives are generally not intended to exclude such variants, unless context dictates otherwise.

While various system, method, article of manufacture, or other embodiments or aspects have been disclosed above, also, other combinations of embodiments or aspects will be apparent to those skilled in the art in view of the above disclosure. The various embodiments and aspects disclosed above are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated in the final claim set that follows.

In the numbered clauses below, first combinations of aspects and embodiments are articulated in a shorthand form such that (1) according to respective embodiments, for each instance in which a “component” or other such identifiers appear to be introduced (e.g., with “a” or “an,”) more than once in a given chain of clauses, such designations may either identify the same entity or distinct entities; and (2) what might be called “dependent” clauses below may or may not incorporate, in respective embodiments, the features of “independent” clauses to which they refer or other features described above.

CLAUSES

1. (Independent) A security-enhanced computing method (e.g., performed via one or more flows ofFIG. 8, 9, or11) configured to facilitate or otherwise cause a migration of at-risk software110 that is valid in a first language125 (e.g., according to alanguage specification130 of the first language125), comprising:

invoking transistor-based circuitry (e.g., one or more control modules532) configured to authorize or otherwise cause one or more cloud-resident or

other translators

118,218 to translate a first device-executable instruction series181 that is valid (e.g., as an eval result178) in thefirst language125 into a translated

instruction series

285,385 that is valid in asecond language225 but not in thefirst language125;

invoking transistor-based circuitry (e.g., one ormore recognition modules537 optionally as a component of anexecution module538 that operates in the protected computing environment290) configured to cause a second-language parser214 to recognize whether translatedcontent276 is valid in thesecond language225 by applying alanguage specification230 of thesecond language225 in lieu of thelanguage specification130 of thefirst language125; and

invoking transistor-based circuitry (e.g., one or more implementation modules536) configured to host or otherwise provide a protected computing environment290 in which at least oneinterpreter215,compiler216, orother execution service220 is configured to use the second-language parser214 to execute the translated

instruction series

285,385.

2. The computing method of Clause1 whereby a safer version221-223 of the at-risk software110 includes the translated instruction series, comprising:

allowing the translated instruction series that is valid in thesecond language225 but not in thefirst language125 to be executed in the protected computing environment290 by applying alanguage specification230 of thesecond language225 in lieu of thelanguage specification130 of thefirst language125.

3. (Independent) A security-enhanced computing method (optionally performed on a

system

300,400,500 described above and) configured to trigger or otherwise cause a migration of at-risk software110 that is valid in afirst language125, comprising:

invoking transistor-based circuitry (e.g., one or more control modules532) configured to cause one or

more translators

118,218 remotely or otherwise to translate a first device-executable instruction series181 that is valid (e.g., as an eval result178) in thefirst language125 into a translated

instruction series

invoking transistor-based circuitry (e.g., one or more control modules533) configured to cause the one or

more translators

118,218 also to translate one or more additional device-

executable instruction series

182,183 that are valid in thefirst language125 but not in thesecond language225 each into a corresponding translated

instruction series

285,385 that is valid in thesecond language225 but not in thefirst language125;

invoking transistor-based circuitry (e.g., one or more recognition modules537) configured to cause a second-language parser214 to recognize whether translatedcontent276 is valid in thesecond language225 by applying alanguage specification230 of thesecond language225 in lieu of thelanguage specification130 of thefirst language125; and

invoking transistor-based circuitry (e.g., one or more implementation modules536) configured to (manifest or otherwise) provide a protected computing environment290 in which at least oneinterpreter215,compiler216, orother execution service220 is configured to use the second-language parser214 to execute the translated

instruction series

285,385 and at least one of the corresponding translatedinstruction series284 that are valid in thesecond language225.

4. The computing method of Clause3 whereby the protected computing environment290 can access most or allservices120 of the one or more additional device-executable instruction series284 without avulnerability219 to theservices220 being affected bykeywords132 orother code175 in thefirst language125 being present in the protected computing environment290, and whereby a safer version221-223 of the at-risk software110 includes the corresponding translatedinstruction series284.

5. The computing method of Clause3 whereby the protected computing environment290 can access most or allservices120 of the one or more additional device-executable instruction series284 without avulnerability219 to theservices220 being affected bykeywords132 orother code175 in thefirst language125 being present in the protected computing environment290 and whereby a safer version221-223 of the at-risk software110 includes the corresponding translatedinstruction series284, comprising:

allowing the translatedinstruction series285 that is valid in thesecond language225 but not in thefirst language125 to be executed in the protected computing environment290 by applying alanguage specification230 of thesecond language225 in lieu of thelanguage specification130 of thefirst language125; and allowing at least some of the safer version of the at-risk software that includes the corresponding translatedinstruction series284 to execute in the protected computing environment290 by applying alanguage specification230 of thesecond language225 in lieu of thelanguage specification130 of thefirst language125.

6. The computing method of any of the above Clauses wherein the one or

more translators

118,218 are configured to implement at least one

translation

178,278,478 of a

first instruction series

181,381 from thefirst language125 indirectly to a

second instruction series

185,385 in asecond language225 via an interstitial third language defined by aninterstitial language specification330A, wherein theinterstitial language specification330A defines at least oneterm333A that is absent from or otherwise undefined in alanguage specification230A-B of thesecond language225, wherein theinterstitial language specification330A defines at least oneterm333A that is undefined in thelanguage specification230A-B of thesecond language225 and has at least onesynonymous term333B-C in the interstitial language specification, and wherein the defined term of the interstitial language specification corresponds (e.g., as illustrated inFIG. 4) to a legacy term133D that is recursively defined (e.g., having an inductive definition135D) in thefirst language125.

7. The computing method of any of the above Clauses wherein the one or

more translators

118,218 are configured to implement at least one

translation

178,278,478 of a

first instruction series

181,381 from thefirst language125 indirectly to a

second instruction series

8. The computing method of any of the above Clauses wherein the one or

more translators

118,218 are configured to implement at least one

translation

178,278,478 of a

first instruction series

181,381 from thefirst language125 indirectly to a

second instruction series

185,385 in asecond language225 via an interstitial third language defined by aninterstitial language specification330A and wherein theinterstitial language specification330A defines at least oneterm333A that is absent from thelanguage specification230A-B of thesecond language225 and has at least one synonymous term333 in the interstitial language specification.

9. The computing method of any of the above Clauses wherein the one or

more translators

118,218 are configured to implement at least one

translation

178,278,478 of a

first instruction series

181,381 from thefirst language125 indirectly to a

second instruction series

185,385 in asecond language225 via an interstitial third language defined by aninterstitial language specification330A, wherein theinterstitial language specification330A defines at least oneterm333A that is undefined in alanguage specification230A-B of thesecond language225, and wherein theinterstitial language specification330A defines at least oneterm333A that is absent from thelanguage specification230A-B of thesecond language225.

10. The computing method of any of the above Clauses, comprising:

configuring thelanguage specification230 of thesecond language225 to replace more than half of theterms133 in thelanguage specification130 of thefirst language125 before atranslation278 of the first device-executable instruction series181 that is valid in thefirst language125 into the translated

instruction series

285,385 that is valid in thesecond language225, wherein thetranslation278 modifies one ormore grammar rules137 of thefirst language125 by transposing two

arguments

1001,1002 thereof.

11. The computing method of any of the above Clauses, comprising:

configuring one ormore grammar rules237 of thelanguage specification230 of thesecond language225 to adapt one ormore grammar rules137 of thefirst language125 by transposing two

arguments

1001,1002 within aninstruction1005 thereof so that afirst argument1001 that is expected earlier than thesecond argument1002 in thefirst language125 is altered in one ormore grammar rules237 of thesecond language225 so that a correspondingfirst argument1001 is expected later than a correspondingsecond argument1002 in one or morecorresponding grammar rules237 of thesecond language125.

12. The computing method of any of the above Clauses, comprising:

instruction series

285,385 that is valid in thesecond language225.

13. The computing method of any of the above Clauses, comprising:

establishing an authenticatedhuman client10A with limited access to the protected computing environment290;

configuringseveral terms233B-C in thelanguage specification230 of thesecond language225 each to have several characters in common with a corresponding legacy-language term133 so that thesecond language225 is human-readable as well as device-executable;

allowing a human-readable instruction series383 to violate thelanguage specification230 of thesecond language225 by permitting the authenticatedhuman client10A to view and edit the human-readable instruction series386; and thereafter

restoring a compliance with thelanguage specification230 of thesecond language225 by implementing anediting function117 that inserts or modifies one ormore characters524 thereof so as to reintroduce one or moresuitable watermarks522 back into the human-readable instruction series383.

14. The computing method of any of the above Clauses, wherein theinterstitial language specification330A includes one ormore rules237A that require one ormore watermarks522 to be implemented in a compliant instruction series383 (e.g., by interspersing one or more spaces selectively with other non-printing characters524).

15. The computing method of any of the above Clauses, wherein theinterstitial language specification330A requires one ormore watermarks522 to be implemented in acompliant instruction series383, comprising:

configuring several terms333 in theinterstitial language specification330A each to have several characters in common with a corresponding legacy-language term133 so that the interstitial third language is human-readable as well as device-executable;

causing a human-readable instruction series383 to violate theinterstitial language specification330A by allowing an authenticatedhuman client10A to view and edit the human-readable instruction series383 in the interstitial third language; and thereafter

restoring a compliance with theinterstitial language specification330A by implementing anediting function117 that reintroduces one ormore watermarks522 back into the human-readable instruction series383.

16. (Independent) A security-enhanced

computing system

300,400,500 configured to facilitate or otherwise cause a migration of at-risk software110 that is valid in a first language125 (e.g., according to alanguage specification130 of the first language125), comprising:

transistor-based circuitry (e.g., one or more control modules532) configured to authorize or otherwise cause one or more cloud-resident or

other translators

118,218 to translate a first device-executable instruction series181 that is valid (e.g., as an eval result) in thefirst language125 into a translated

instruction series

transistor-based circuitry (e.g., one ormore recognition modules537 optionally as a component of aninterpreter215 that operates in the protected computing environment290) configured to cause a second-language parser214 to recognize whether translatedcontent276 is valid in thesecond language225 by applying alanguage specification230 of thesecond language225 in lieu of thelanguage specification130 of thefirst language125; and

transistor-based circuitry (e.g., one or more implementation modules536) configured to assemble or otherwise provide a protected computing environment290 in which at least oneinterpreter215,compiler216, orother execution service220 is configured to use the second-language parser214 to execute the translated

instruction series

285,385.

17. The computing system of Clause16 configured as an instance ofsystem300.

18. The computing system of either of the above system Clauses and configured as an instance ofsystem400.

19. The computing system of any of the above system Clauses and configured as an instance ofsystem500.

20. The computing system of any one of Clauses16 to19, wherein the transistor-based circuitry thereof all resides on a single integrated circuit chip.

21. The computing system of any one of Clauses16 to19, wherein the transistor-based circuitry thereof all resides in a single apparatus529.

22. The computing system of any one of Clauses16 to19, wherein the transistor-based circuitry thereof all resides in one or more cloud-resident servers700.

23. The computing system of any of the above system Clauses and configured to perform a method selected from the above method Clauses.

With respect to the numbered claims expressed below, those skilled in the art will appreciate that recited operations therein may generally be performed in any order. Also, although various operational flows are presented in sequence(s), it should be understood that the various operations may be performed in other orders than those which are illustrated or may be performed concurrently. Examples of such alternate orderings may include overlapping, interleaved, interrupted, reordered, incremental, preparatory, supplemental, simultaneous, reverse, or other variant orderings, unless context dictates otherwise. Furthermore, terms like “responsive to,” “related to,” or other such transitive, relational, or other connections do not generally exclude such variants, unless context dictates otherwise.